fix: tests: fixes around to make it work under Linux and FreeBSD

Stéphane Lesimple 2020-11-17 11:33:30 +01:00
parent ec0d4256b8
commit 2605bdc73a
3 changed files with 82 additions and 72 deletions


@ -15,16 +15,19 @@ account0="$3"
user_ssh_key_path="$4"
root_ssh_key_path="$5"
osh_etc="$6"
remote_basedir="$7"
[ -n "$osh_etc" ] || osh_etc=/etc/bastion
[ -n "$remote_basedir" ] || remote_basedir="$basedir"
[ -z "$HAS_ED25519" ] && HAS_ED25519=1
[ -z "$HAS_BLACKLIST" ] && HAS_BLACKLIST=0
[ -z "$HAS_MFA" ] && HAS_MFA=1
[ -z "$HAS_PAMTESTER" ] && HAS_PAMTESTER=1
[ -z "$nocc" ] && nocc=0
[ -z "$nowait" ] && nowait=0
[ -z "$TARGET" ] && TARGET=''
[ -z "$TEST_SCRIPT" ] && TEST_SCRIPT=''
[ -z "$HAS_ED25519" ] && HAS_ED25519=1
[ -z "$HAS_BLACKLIST" ] && HAS_BLACKLIST=0
[ -z "$HAS_MFA" ] && HAS_MFA=1
[ -z "$HAS_MFA_PASSWORD" ] && HAS_MFA_PASSWORD=0
[ -z "$HAS_PAMTESTER" ] && HAS_PAMTESTER=1
[ -z "$nocc" ] && nocc=0
[ -z "$nowait" ] && nowait=0
[ -z "$TARGET" ] && TARGET=''
[ -z "$TEST_SCRIPT" ] && TEST_SCRIPT=''
# die if using an unset var
set -u
@ -103,7 +106,7 @@ cat >"$mytmpdir/ssh_config" <<EOF
PasswordAuthentication no
RequestTTY yes
EOF
if [ "$HAS_MFA" = 1 ]; then
if [ "$HAS_MFA" = 1 ] || [ "$HAS_MFA_PASSWORD" = 1 ]; then
cat >>"$mytmpdir/ssh_config" <<EOF
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
@ -230,7 +233,7 @@ script() {
return
fi
tmpscript=$(mktemp -p $outdir)
tmpscript=$(mktemp)
echo "#! /usr/bin/env bash" > "$tmpscript"
echo "$*" >> "$tmpscript"
chmod 755 "$tmpscript"
@ -399,7 +402,7 @@ runtests()
COUNTONLY=0
echo === running unit tests ===
if ! $r0 perl "$basedir/tests/unit/run.pl"; then
if ! $r0 perl "$remote_basedir/tests/unit/run.pl"; then
printf "%b%b%b\\n" "$WHITE_ON_RED" "Unit tests failed :(" "$NOC"
exit 1
fi
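Review bot: The temporary script that `script()` now creates with a bare `mktemp` (instead of `mktemp -p $outdir`) is still made world-readable by `chmod 755 "$tmpscript"`, although its body is the caller's command line, which in the MFA test suite embeds the test passwords (`$a4_password`) verbatim; `chmod 700` is enough if the same user executes it, and on a shared `/tmp` it keeps those strings out of other users' reach. Moving from `$outdir` to the default temp directory also means the file now lands somewhere the runner may not clean up — if no `rm -f -- "$tmpscript"` follows the run (the rest of `script()` is outside the hunk), one should be added. `echo "$*" >> "$tmpscript"` would additionally mangle a command line that starts with `-n` or `-e`; `printf '%s\n' "$*" >> "$tmpscript"` is the safe form. The `script()` function starts before and ends after this hunk.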


@ -690,11 +690,11 @@ EOS
success selfListAccesses a3_list_own_accesses $a3 --osh selfListAccesses
json .command selfListAccesses .error_code OK
contain REGEX '77\.66\.55\.0/24\s+\(any\)\s+\(any\)\s+personal\s+'$account0'\s'
contain REGEX '1\.2\.3\.4\s+\(any\)\s+\(any\)\s+personal\s+'$account0'\s'
contain REGEX '77\.66\.55\.4\s+\(any\)\s+\(any\)\s+personal\s+'$account0'\s'
contain REGEX '127\.0\.0\.1\s+22\s+g1\s+'$group1'\(group-guest\)\s+'$account2'\s'
contain REGEX '10\.20\.0\.0/17\s+\(any\)\s+\(any\)\s+'$group3'\(group-member\)\s+'$account3'\s'
contain REGEX '77\.66\.55\.0/24[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]'
contain REGEX '1\.2\.3\.4[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]'
contain REGEX '77\.66\.55\.4[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]'
contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group-guest\)[[:space:]]+'$account2'[[:space:]]'
contain REGEX '10\.20\.0\.0/17[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group3'\(group-member\)[[:space:]]+'$account3'[[:space:]]'
contain "5 accesses listed"
run accountDelete notingroup $a1 --osh accountDelete --account $account2
@ -826,11 +826,11 @@ EOS
# group1: a1(owner,aclkeeper,gatekeeper,member) a2() servers(127.0.0.10,127.0.0.11,127.0.0.12-TTL)
success groupListServers list $a1 --osh groupListServers --group $group1
json .command groupListServers .error_code OK
contain REGEX '127\.0\.0\.1\s+22\s+g1\s+'$group1'\(group\)\s+'$account2'\s'
contain REGEX '127\.0\.0\.2\s+22\s+g2\s+'$group1'\(group\)\s+'$account2'\s'
contain REGEX '127\.0\.0\.10\s+\(any\)\s+\(any\)\s+'$group1'\(group\)\s+'$account1'\s'
contain REGEX '127\.0\.0\.11\s+\(any\)\s+\(any\)\s+'$group1'\(group\)\s+'$account1'\s'
contain REGEX '127\.0\.0\.12\s+\(any\)\s+\(any\)\s+'$group1'\(group\)\s+'$account1'\s+\S+\s+00:00:[01][0123456789]'
contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]'
contain REGEX '127\.0\.0\.2[[:space:]]+22[[:space:]]+g2[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]'
contain REGEX '127\.0\.0\.10[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]'
contain REGEX '127\.0\.0\.11[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]'
contain REGEX '127\.0\.0\.12[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]+\S+[[:space:]]+00:00:[01][0123456789]'
contain '5 accesses listed'
# wait for the access to expire
@ -839,11 +839,11 @@ EOS
# group1: a1(owner,aclkeeper,gatekeeper,member) a2() servers(127.0.0.10,127.0.0.11)
success groupListServers listttlexpired $a1 --osh groupListServers --group $group1
json .command groupListServers .error_code OK
contain REGEX '127\.0\.0\.1\s+22\s+g1\s+'$group1'\(group\)\s+'$account2'\s'
contain REGEX '127\.0\.0\.2\s+22\s+g2\s+'$group1'\(group\)\s+'$account2'\s'
contain REGEX '127\.0\.0\.10\s+\(any\)\s+\(any\)\s+'$group1'\(group\)\s+'$account1'\s'
contain REGEX '127\.0\.0\.11\s+\(any\)\s+\(any\)\s+'$group1'\(group\)\s+'$account1'\s'
nocontain REGEX '127\.0\.0\.12\s+\(any\)\s+\(any\)\s+'$group1'\(group\)\s+'$account1'\s'
contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]'
contain REGEX '127\.0\.0\.2[[:space:]]+22[[:space:]]+g2[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]'
contain REGEX '127\.0\.0\.10[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]'
contain REGEX '127\.0\.0\.11[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]'
nocontain REGEX '127\.0\.0\.12[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]'
contain '4 accesses listed'
# group1: a1(owner,aclkeeper,gatekeeper,member) a2() servers(127.0.0.10,127.0.0.11)
@ -883,6 +883,8 @@ EOS
success groupModify guest_ttl_limit $a1 --osh groupModify --group $group1 --guest-ttl-limit 0
json .command groupModify .error_code OK
[ "$COUNTONLY" != 1 ] && sleep 1
# group1: a1(owner,aclkeeper,gatekeeper,member) a2() servers(127.0.0.10,127.0.0.11)
success groupAddGuestAccess works $a1 --osh groupAddGuestAccess --group $group1 --account $account2 --port-any --user-any --host 127.0.0.10
contain "has now access"
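Review bot: `\S` survives on the `127.0.0.12` TTL assertion (`...[[:space:]]+\S+[[:space:]]+00:00:[01][0123456789]`) while every `\s` around it was rewritten to `[[:space:]]`; if `\s` was the portability problem on the FreeBSD grep, `\S` is the same GNU-only escape and that line should read `[[:space:]]+[^[:space:]]+[[:space:]]+00:00:[01][0123456789]`. A short comment at the first rewritten assertion, e.g. `# POSIX classes, not \s/\S: the GNU escapes are not portable to BSD grep -E`, would keep the next contributor from reintroducing them. The new `[ "$COUNTONLY" != 1 ] && sleep 1` before `groupAddGuestAccess` presumably lets the `--guest-ttl-limit 0` change settle; a one-line comment stating what it waits for would help, since the file uses the same idiom for TTL expiry waits with a different purpose.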


@ -37,9 +37,9 @@ testsuite_mfa()
a4_password=']BkL>3x#T)g~~B#rLv^!T2&N'
script mfa a4_setup_pass_step2of2 "echo 'set timeout 30; \
spawn $a4 --osh selfMFASetupPassword --yes; \
expect \":\" { send \"$a4_password_tmp\\n\"; }; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password_tmp\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
@ -52,17 +52,17 @@ testsuite_mfa()
# now try to connect after we have a pass
run mfa a4_connect_after_pass $a4f --osh groupList
if [ "$HAS_MFA" = 1 ]; then
if [ "$HAS_MFA" = 1 ] || [ "$HAS_MFA_PASSWORD" = 1 ]; then
# now we need a password, we don't enter it so it'll timeout (124)
retvalshouldbe 124
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
nocontain 'JSON_OUTPUT'
else
# our system doesn't support MFA so it still works without asking for a password
retvalshouldbe 0
nocontain 'Multi-Factor Authentication enabled'
nocontain 'Password:'
nocontain REGEX 'Password:|Password for'
json .command groupList .error_code OK_EMPTY
fi
@ -76,66 +76,71 @@ testsuite_mfa()
# setup group to force JIT egress MFA
script mfa a4_modify_g3_egress_mfa "echo 'set timeout 30; \
spawn $a4 --osh groupModify --group $group3 --mfa-required any; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
json .command groupModify .error_code OK
# check that the MFA is set for the group
script mfa a4_verify_g3_egress_mfa "echo 'set timeout 30; \
spawn $a4 --osh groupInfo --group $group3; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
json .command groupInfo .error_code OK
json .value.mfa_required any
# add 127.7.7.7 to this group
script mfa a4_add_g3_server "echo 'set timeout 30; \
spawn $a4 --osh groupAddServer --group $group3 --host 127.7.7.7 --user-any --port-any --force; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
# connect to 127.7.7.7 with MFA JIT, bad password
script mfa a4_connect_g3_server_badpass "echo 'set timeout 45; \
spawn $a4 root@127.7.7.7; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"word:\" { send \"BADPASSWORD\\n\"; }; \
expect \"word:\" { send \"BADPASSWORD\\n\"; }; \
expect \"word:\" { send \"BADPASSWORD\\n\\n\"; }; \
expect \"is required (password)\" { sleep 0.1; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \"is required (password)\" { sleep 0.1; }; \
expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\"; }; \
expect \"is required (password)\" { sleep 0.1; }; \
expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\"; }; \
expect \"is required (password)\" { sleep 0.1; }; \
expect \":\" { sleep 0.2; send \"BADPASSWORD\\n\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 125
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
contain 'pamtester: '
nocontain 'Permission denied'
# connect to 127.7.7.7 with MFA JIT, good password
script mfa a4_connect_g3_server_goodpass "echo 'set timeout 30; \
spawn $a4 root@127.7.7.7; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \"is required (password)\" { sleep 0.1; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 255
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
contain 'pamtester: successfully authenticated'
contain 'Permission denied'
@ -150,7 +155,7 @@ testsuite_mfa()
# add to JIT MFA group
script mfa a0_add_a3_as_member "echo 'set timeout 30; \
spawn $a4 --osh groupAddMember --group $group3 --account $account3; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
@ -187,25 +192,25 @@ testsuite_mfa()
# change our password
a4_password_new="rkw=*Ffyqs23"
if [ "$HAS_MFA" = 1 ]; then
if [ "$HAS_MFA" = 1 ] || [ "$HAS_MFA_PASSWORD" = 1 ]; then
script mfa a4_change_pass "echo 'set timeout 30; \
spawn $a4 --osh selfMFASetupPassword --yes; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { send \"$a4_password_new\\n\"; }; \
expect \":\" { send \"$a4_password_new\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password_new\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password_new\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
else
script mfa a4_change_pass "echo 'set timeout 30; \
spawn $a4 --osh selfMFASetupPassword --yes; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { send \"$a4_password_new\\n\"; }; \
expect \":\" { send \"$a4_password_new\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password_new\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password_new\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
@ -219,16 +224,16 @@ testsuite_mfa()
a4_password="$a4_password_new"
unset a4_password_new
if [ "$HAS_MFA" = 1 ]; then
if [ "$HAS_MFA" = 1 ] || [ "$HAS_MFA_PASSWORD" = 1 ]; then
script mfa a4_connect_with_pass "echo 'set timeout 30; \
spawn $a4 --osh groupList; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
json .command groupList .error_code OK_EMPTY
fi
@ -241,10 +246,10 @@ testsuite_mfa()
json .error_code OK .command accountModify .value.mfa_totp_required.error_code OK_NO_CHANGE
# now try to connect with account4
if [ "$HAS_MFA" = 1 ]; then
if [ "$HAS_MFA" = 1 ] || [ "$HAS_MFA_PASSWORD" = 1 ]; then
script mfa a4_connect_with_totpreq "echo 'set timeout 30; \
spawn $a4 --osh groupList; \
expect \":\" { send \"$a4_password\\n\"; }; \
expect \":\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
@ -258,14 +263,14 @@ testsuite_mfa()
# setup totp
script mfa a4_setup_totp "echo 'set timeout 30; \
spawn $a4 --osh selfMFASetupTOTP --no-confirm; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Password:'
contain REGEX 'Password:|Password for'
a4_totp_code_1=$(get_stdout | grep -A1 'Your emergency scratch codes are:' | tail -n1 | tr -d '[:space:]')
#a4_totp_code_2=$(get_stdout | grep -A2 'Your emergency scratch codes are:' | tail -n1 | tr -d '[:space:]')
@ -275,7 +280,7 @@ testsuite_mfa()
# login and fail without totp (timeout)
script mfa a4_connect_after_totp_fail "echo 'set timeout 30; \
spawn $a4 --osh groupList; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
@ -284,30 +289,30 @@ testsuite_mfa()
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).'
contain 'Your password expires on'
contain 'in 14 days'
contain 'Password:'
contain REGEX 'Password:|Password for'
contain 'Verification code:'
nocontain 'JSON_OUTPUT'
# success with password + totp
script mfa a4_connect_after_totp_ok "echo 'set timeout 30; \
spawn $a4 --osh groupList; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"code:\" { send \"$a4_totp_code_1\\n\"; }; \
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \"code:\" { sleep 0.2; send \"$a4_totp_code_1\\n\"; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
exit \$value' | expect -f -"
retvalshouldbe 0
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).'
contain 'Password:'
contain REGEX 'Password:|Password for'
contain 'Verification code:'
json .command groupList .error_code OK_EMPTY
# totp scratch codes don't work twice
script mfa a4_connect_after_totp_dupe "echo 'set timeout 30; \
spawn $a4 --osh groupList; \
expect \"word:\" { send \"$a4_password\\n\"; }; \
expect \"code:\" { send \"$a4_totp_code_1\\n\"; }; \
expect \"word:\" { sleep 0.2; send \"$a4_password\\n\"; }; \
expect \"code:\" { sleep 0.2; send \"$a4_totp_code_1\\n\"; }; \
expect \"word:\" { exit 222; }; \
expect eof; \
lassign [wait] pid spawnid value value; \
@ -315,7 +320,7 @@ testsuite_mfa()
retvalshouldbe 222
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (password).'
contain 'Multi-Factor Authentication enabled, an additional authentication factor is required (OTP).'
contain 'Password:'
contain REGEX 'Password:|Password for'
contain 'Verification code:'
nocontain 'JSON_OUTPUT'
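Review bot: The `sleep 0.2` added in front of every `send` is a timing workaround with no explanation, and the `expect \":\" { … }` statements still carry no `timeout` arm: if a prompt does not appear within the 30 s timeout, expect silently skips the `send` and moves on, so a missing prompt surfaces late as a `retvalshouldbe`/`contain` mismatch or as a blocked `[wait]` on a command still sitting at a prompt. A fail-fast form such as `expect \":\" { sleep 0.2; send \"$a4_password\\n\"; } timeout { exit 124; }` would localise the failure, while the bare `expect eof` can stay where a timeout is the intended outcome (as in `a4_connect_after_totp_fail`). The sleep itself deserves a comment at its first use — presumably it lets the spawned program switch the pty to no-echo mode before the password is typed, so the secret is not echoed into the captured output; confirm and document that. `testsuite_mfa` starts before the first hunk and continues after the last one.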